[BreachExchange] How to avoid being the next hospital breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 7 18:45:55 EDT 2016


http://www.csoonline.com/article/3091806/data-breach/how-to-avoid-being-the-next-hospital-breach.html

With all the talk about compliance and regulations, particularly when it
comes to patient data, it's confounding to read about all of the hospitals
that have been victims of breaches. One would think security teams in the
healthcare sector are bringing their A game when it comes to defending
their most valuable assets.

I've spoken with a couple of security researchers and experts, so tomorrow's
post will also examine this topic as it seems to me that hospitals--the
very places that tend to the ill--are more and more the targets of illicit
acts by bad actors. Would it be unreasonable to request that even criminals
possess some code of ethics? Perhaps they might all take an oath to grant
immunity to the health care industry as a whole?

The latest breach of Massachusetts General Hospital suggests that the
hospitals, though, aren't the weak link, as this breach was supply chain
related. Even for those who are doing all that they should be doing to
defend their environments, third parties still put them at risk.

Patterson Dental Supply, which provides software to the hospital to manage
dental practice information for a number of providers that includes the
Boston hospital, said that an unauthorized individual gained access to
electronic files on the company’s systems in early February.

The hospital said files contained some MGH dental practice information,
including the patient names, birthdays, Social Security numbers and — in
some instances — the type of dental appointment, provider name and medical
record number.

In a press release, the hospital said it began sending letters to affected
individuals and had set up a dedicated call center to answer questions.
Hospital spokesman Mike Morrison said though the hospital received
permission to begin notifying patients in late May, the hospital needed
time to identify which patients had been impacted.

MGH said the vendor has already enhanced the security of the systems that
maintain dental records, but many have questions about the increasing
security issues with third-party vendor management for the healthcare
industry.

Lysa Myers, senior researcher at ESET, said that to avoid being the next
victim, organizations should do things like:

Mapping locations of sensitive data: Collaborate across all relevant teams
to determine which data—intellectual property, employee records, financial
information, credit card data—is considered sensitive by the organization.
Information security should audit for all locations of that sensitive data
on the network, as well as for the locations of copies of that data that
may be accessible to members of your vendor. Apply the principle of least
privilege: For example, don’t give users admin rights to their machines if
they don’t need it, and limit their ability to access parts of the network
they don’t legitimately need to use.

Building security assurances into vendor/partner agreements: Advise your
legal team to add a corporate data security and incident response policy
into vendor agreements and to stipulate compliance with them.

Adding depth and breadth to basic security practices: Recommended
protections include network segmentation, multi-factor authentication, and
strong passwords.

Encryption: Ask how vendors are protecting sensitive data, since you and
the vendor should encrypt sensitive data as it's sent over the network,
such as via the web or email.

"Working together, every department and manager involved with the supply
chain and partner organizations can build a safe environment. Doing so
before a cyber attack or accidental data breach occurs can close a critical
gap in your organization’s security posture," Myers said.
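The first recommendation above, mapping every location of sensitive data including copies sitting where a vendor can reach them, is the kind of audit that can be automated. The following is an added example written for this archive entry; it is not code from the article, from ESET or from any vendor named. It scans a constructed set of in-memory "files" (stand-ins for a file share walk) for plausible US Social Security numbers, discards values the Social Security Administration never issues to reduce false positives, records only masked values so the inventory does not itself become another copy of the data, and flags hits under a hypothetical vendor-accessible path prefix.

```python
import re
from typing import Dict, List, Tuple

# 3-2-4 layout of a US Social Security number. The word boundaries stop it
# from firing inside longer digit runs such as phone numbers or dates.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Hypothetical prefix for shares a dental-software vendor can reach.
VENDOR_ACCESSIBLE_PREFIXES = ("/srv/vendor-share/",)

# Constructed sample corpus: path -> file contents. Not real patient data.
SAMPLE_FILES: Dict[str, str] = {
    "/srv/dental/exports/appointments.csv": (
        "name,dob,ssn,visit\n"
        "Jane Doe,1980-01-01,123-45-6789,cleaning\n"
        "John Roe,1975-05-05,987-65-4321,crown\n"   # area 987 is never issued
    ),
    # An exported copy left on a share the vendor can read.
    "/srv/vendor-share/backup/appointments_copy.csv": (
        "name,dob,ssn,visit\n"
        "Jane Doe,1980-01-01,123-45-6789,cleaning\n"
    ),
    "/srv/www/notes.txt": (
        "Front desk: 617-555-0100\n"
        "Order 666-12-3456 shipped\n"                # area 666 is never issued
    ),
}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA does not assign: area 000, 666 or
    900-999, group 00 and serial 0000. Everything else is treated as a hit."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask_ssn(area: str, group: str, serial: str) -> str:
    """Keep only the last four digits so the report is not itself sensitive."""
    return f"***-**-{serial}"


def find_sensitive_data(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Return {path: [(line_number, masked_value), ...]} for every file that
    contains at least one plausible SSN."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for m in SSN_RE.finditer(line):
                if is_plausible_ssn(*m.groups()):
                    hits.setdefault(path, []).append((lineno, mask_ssn(*m.groups())))
    return hits


def vendor_exposed_paths(hits: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Paths holding sensitive data that also sit under a vendor-reachable
    prefix; these are the copies the audit is meant to surface."""
    return sorted(p for p in hits if p.startswith(VENDOR_ACCESSIBLE_PREFIXES))


if __name__ == "__main__":
    found = find_sensitive_data(SAMPLE_FILES)
    for path, entries in found.items():
        for lineno, masked in entries:
            print(f"{path}:{lineno}: {masked}")
    for path in vendor_exposed_paths(found):
        print(f"VENDOR-EXPOSED: {path}")
```

Replacing `SAMPLE_FILES` with an `os.walk` over a share and adding patterns for the other fields the article lists (medical record numbers, dates of birth tied to names) turns this into the audit Myers describes; the masking and the vendor-prefix check are the two parts worth keeping as written.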